People can't help but try to evangelize Matrix in response to things I wrote, so I just disclosed a few more issues to Matrix's cryptography.
This time, the issues were in their Rust library, vodozemac.
One of them was pretty fucking stupid.
@sophieschmieg @q same
The Discourse has been Automated
@riley @ariadne My project https://publickey.directory makes this a dumb HTTP call.
@Foxarc lmao that would be hilarious
RE: https://furry.engineer/@soatok/116055556402436098
By the way, I'm not giving them 90 days this time.
Last time I did that, they didn't bother to actually fix anything, so they didn't actually need any of that time. So they lost that privilege.
Expect a public disclosure / write-up as soon as I feel like it.
@chuff Happens, no worries
@shitpostalotl I ask myself that same question.
This is why I stop myself from looking at rando projects when people toss "But what about Slopchat?" my way in response to one of my blogs on something unrelated.
“can you recommend an alternative?” no. that’s why I’m so fucking angry. we fucked it. we’re no longer capable of making online chat protocols or web browsers or discussion forum software that people actually want to use. it’s all shit. every choice is either proprietary and exploitative or awful open source garbage sucking all the air out of all alternatives and forks, operated by fucking terrible people. we let this happen.
you want there to be an alternative so you can skip being angry too.
@nathanael @socketwench Many reasons, actually.
If everything is encrypted, then that fact ceases to be remarkable. More chaff, less wheat. More noise, less signal. It also becomes less special and people stop treating it like uber secret spy comms for ultra leet opsec. It's just chat.
But it also keeps plaintext off the server. Service operators don't get legal demands to surrender evidence they don't have. It makes federation less risky for smaller nodes.
It also makes E2EE table stakes. Which means services that follow suit have less data to get breached, or to train an AI on.
Ubiquitous encryption is just a damn good idea.
People can't help but try to evangelize Matrix in response to things I wrote, so I just disclosed a few more issues in Matrix's cryptography to their security@ email address.
This time, the issues were in their Rust library, vodozemac.
One of them was pretty fucking stupid.
I'll do a better write-up than I was initially planning when they've had time to fix it.
@kiri Given that my previous disclosure was in May 2024 (published August 2024), and then https://furry.engineer/@soatok/116055556402436098...
Yeah, probably not.
@jackemled https://web.archive.org/web/20260211235740/https://news.ycombinator.com/item?id=46979742#46982871
@lunemercove Haha fair
The crucial thing Arathorn hasn't figured out is he's his own worst enemy when it comes to public relations.
Several folks have told me they stopped trusting Matrix. But not because of my write-up. They stopped trusting Matrix because of how Matrix responded to my write-up.
They could've just said something banal like, "Thanks for contributing to the security of Matrix," and done less damage to their own reputation.
There are more pathetic comments on the Hacker News thread.
For example:
(Would you believe this guy has -18 karma?)
@tbortels The situation today: Discord is centralized but has the budget for lawyers.
A "decentralized" Discord without E2EE will result in people that want to host them getting hammered with legal demands for content and metadata that they do not have the resources to defend against, all under the illusion of decentralization.
You might call such an outcome Robustness Theater, in the spirit of Bruce Schneier's term, Security Theater.
The Matrix guy is incentivized to control the narrative here. No surprise there.
But I implore anyone paying attention to critically evaluate the facts and what he said then as well as what he's saying now.
@mochabeau Yes. It, like XMPP, has a plaintext mode, which means it's not in the same league as Signal to begin with. (And some asshole talking over me to tell people to use Matrix instead of Signal is what prompted me to even look at their code then.)
He/him. Gay/demi dhole (Cuon Alpinus) furry.
Blogger, programmer, security engineer, cryptography nerd. 30+
Too spicy for Twitter (banned with all the prominent journalists on 2022-12-16)
I don't represent any company, individual, or community.